Signed into law on June 28, 2018, the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020. The CCPA is the most onerous data privacy law in the United States, similar in many aspects to the European Union’s General Data Protection Regulation (GDPR) that went into effect on May 25, 2018. The Act broadly expands the rights of California residents and requires covered businesses to comply with strict requirements on how they collect, use, and disclose “personal information” of California residents.

The legislative circumstances surrounding the CCPA enactment are troubling. This major piece of legislation was introduced and passed unanimously by the California legislature in 72 hours. The legislature was essentially hijacked by a wealthy sponsor of an even stricter ballot initiative who reportedly spent over $3 million to get his version of a privacy law on the November ballot. Rather than risk approval of the ballot initiative (where voters can directly enact laws), the legislature struck a “deal” with the sponsor and quickly passed a compromise bill.

Covered Businesses – The Act applies to businesses located anywhere in the world that possess personal information on California residents and (1) have annual revenue greater than $25 million; or (2) sell or share the personal information of 50,000 or more consumers, households or devices; or (3) derive 50% or more of annual revenue from selling consumers’ personal information. The Act does not apply to non-profit organizations such as trade associations, professional societies, charities and religious organizations.

Personal information is broadly defined to include any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Covered businesses will have to ensure Californians’ right to privacy by giving consumers:

the right to know what personal information is being collected

the right to know whether their personal information is sold or disclosed to others

the right to access their personal information and request its deletion

the right to ban the sale of their personal information

the right to non-discriminatory access to service and price from businesses even if they assert their privacy rights


Enforcement

The California Attorney General is charged with enforcing the CCPA and issuing regulations to help explain or even modify it. Civil enforcement actions can result in penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation, if not remedied within thirty days following a notice of violation.

The CCPA also grants a private right of action – including class actions – to California residents if their personal information is subject to unauthorized access, disclosure or theft. Penalties of between $100 and $750 per resident or incident may be assessed if the Attorney General declines to bring an enforcement action.

Concerns

The CCPA has the potential to become a template for a Federal privacy law, or for one or more States enacting their own version. A benefit of a Federal law would be the express preemption of state privacy laws. Conflicting state privacy laws could impose a ruinous burden on businesses engaged in interstate commerce.

Many U.S. businesses are still reeling from the costs and burden of bringing their data use and management processes and consumer notices into compliance with the European Union GDPR. Compounding businesses’ compliance burdens, the Act is already undergoing changes, and regulatory guidance, even if helpful, is months away.